
When a Cascade-infected file is introduced to a system and executed, the virus checks the BIOS for the string "COPR. IBM", an IBM copyright notice. If it finds the string, it will try, but fail, to stop there. The virus then becomes memory resident. Every time a .com file is run, the virus infects it: it replaces the first three bytes of the new host file with code that points to the virus code, and stores the host's original first three bytes in its own code.
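A triage check built on the three-byte entry patch described above, as an added example that is not part of the original page. It assumes the patch is an x86 near jump (`0xE9` plus a 16-bit displacement) into a body appended at the end of the file; `tail_window` and all sample bytes are constructed for illustration.

```python
import struct

JMP_NEAR = 0xE9  # x86 "JMP rel16" opcode; assumed form of the 3-byte patch

def entry_jump_target(image: bytes):
    """File offset that a leading JMP rel16 lands on, or None."""
    if len(image) < 3 or image[0] != JMP_NEAR:
        return None
    (disp,) = struct.unpack_from("<H", image, 1)
    # rel16 is relative to the next instruction (offset 3) and wraps at
    # 16 bits, like IP inside the single segment a .com program runs in.
    target = (3 + disp) & 0xFFFF
    return target if target < len(image) else None

def looks_patched(image: bytes, tail_window: int = 2048) -> bool:
    """True when the entry jump lands within tail_window bytes of EOF.

    tail_window is a hypothetical tuning knob, not a value from the page.
    Small legitimate programs that start by jumping over their data can
    also match, so treat a hit as a reason to inspect, not a verdict.
    """
    target = entry_jump_target(image)
    return target is not None and target > 3 and len(image) - target <= tail_window

def constructed_samples() -> dict:
    """Synthetic byte strings for the demo; none is a real program or virus."""
    host = b"\xB4\x09" + b"\x90" * 4998           # 5000-byte stand-in host
    tail = b"\x90" * 1500                         # stand-in appended body
    patched = bytes([JMP_NEAR]) + struct.pack("<H", len(host) - 3) + host[3:] + tail
    jump_over_data = bytes([JMP_NEAR]) + struct.pack("<H", 0x20) + b"\x90" * 5997
    return {"clean": host, "patched": patched, "jump_over_data": jump_over_data}

if __name__ == "__main__":
    for name, image in constructed_samples().items():
        print(f"{name:15} target={entry_jump_target(image)} flagged={looks_patched(image)}")
```

A hit only says the file's entry point has been redirected to its tail; comparing against a known-good copy of the program is what confirms a modification.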

Cascade's payload is executed when an infected file is run between October 1 and December 31 in 1988. It causes the characters on a DOS screen to randomly fall to the bottom in a heap of numbers and letters. It may also cause some noise.

The Cascade virus spawned about 40 variants. A few of them are attempts by the creator to correct the bug that allows it to infect IBM computers, but the bug was never completely fixed, and these variants infect IBM computers anyway.

The falling letters payload in some variants may activate after October 1 in 1988, i.e. it always activates.

There are also some variants that replaced the falling letters payload with one that formats the hard drive. Others simply have a different length or contain a message in the virus body.

Ironically, the virus not only infected some IBM computers, it infected nearly an entire IBM office in Belgium. This prompted IBM to publicly release its antivirus product, which had previously been available only for the company's own use.

The virus contained code that would prevent it from running on computers where it found an IBM copyright. This part of the virus's code was buggy, so the virus would infect even if the computer had an IBM copyright. The creator released a few variants of the virus, but the bug was never fixed.

McAfee reports that Cascade was originally a trojan and that the viral part was allegedly added in late 1987. The trojan was designed to turn off Caps Lock when the computer first starts, and the falling characters were an accident. Although this has supposedly been reported by antivirus experts, the story still seems a bit unlikely.

If a DOS virus that triggers the display of text, such as Techno, activates its payload while Cascade's payload is running, Cascade will temporarily halt its payload until the other virus has finished deploying its own, then resume its 'letter dropping' behaviour.